Re: [DNSOP] Draft for dynamic discovery of secure resolvers

Doug Barton <dougb@dougbarton.us> Sun, 19 August 2018 16:43 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7ACD130E80 for <dnsop@ietfa.amsl.com>; Sun, 19 Aug 2018 09:43:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dougbarton.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6dL38TYnxJ-D for <dnsop@ietfa.amsl.com>; Sun, 19 Aug 2018 09:43:22 -0700 (PDT)
Received: from dougbarton.us (dougbarton.us [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CCCB130E7B for <dnsop@ietf.org>; Sun, 19 Aug 2018 09:43:22 -0700 (PDT)
Received: from [192.168.10.247] (71-9-84-238.dhcp.snbr.ca.charter.com [71.9.84.238]) by dougbarton.us (Postfix) with ESMTPSA id 33EA479C for <dnsop@ietf.org>; Sun, 19 Aug 2018 09:43:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1534697002; bh=gZoIRKQsK+HemuTlvneRI/M75W93WywMXn+Lx98bAWk=; h=Subject:To:References:From:Date:In-Reply-To:From; b=GoJyH/okh1xdVz2R1+06qJr40NJ8N7Hd6KwloOD24eQf/jJi0By6Y3dmO3xkwOVXP qHpeyQLZivAGY4OOE5J/vSJvBIhnWHqRQHNWGJsUm5jJAqD4bLpijjnXk/iGPa0vxd sxSRan3kVZu9r0QXNLj1iVWlkicBCYnim9CE5st0=
To: dnsop@ietf.org
References: <CAC=TB13mUH2SDxFb4c3rOz0-Z6PE_r9i84_xK=dmLxiVr45+tA@mail.gmail.com> <CAPt1N1=-792WkQmbTigPdqOh0dONykYycG0hheOecoQa4ai=Hw@mail.gmail.com> <CAC=TB11tG4o0dkavXGb20=DGBCrmVoRP60bpzsvq5=Q0zFjhDg@mail.gmail.com> <CAPt1N1kj7Y0dPLeDk=PMqQEpAd-Mvds6VLT8XUC1BYOfdyUbJA@mail.gmail.com> <CAC=TB125M81nwiCTNr8Vbee+Z7Fh_3L+6EdZ8evXVzP-2ji4fg@mail.gmail.com> <CAPt1N1n9hDUZQ-Ltvs73T20=fpG-FR_j-t4m0kMapDiv2Us1kw@mail.gmail.com> <5B78BFB9.40103@redbarn.org> <CAPt1N1nEH86yPvtoNqJ+xM-OFunEqr2x8s2LV_yFU1fkVt9WUQ@mail.gmail.com>
From: Doug Barton <dougb@dougbarton.us>
Message-ID: <53074d98-a8ef-9127-edc7-d3e3188c2453@dougbarton.us>
Date: Sun, 19 Aug 2018 09:43:21 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAPt1N1nEH86yPvtoNqJ+xM-OFunEqr2x8s2LV_yFU1fkVt9WUQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wSpT6jilfg0OFj1PvGGnWShyxpg>
Subject: Re: [DNSOP] Draft for dynamic discovery of secure resolvers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2018 16:43:25 -0000

On 08/18/2018 06:08 PM, Ted Lemon wrote:
> The thing is that most devices don't connect to just one network.   So 
> while your devices on your network can certainly trust port 853 on your 
> network, when they roam to other networks, they have no reason to trust 
> it.   If you have devices that never roam to other networks, that's 
> fine, but we have to design for the more general case.   There's no way 
> with DHCP for the device to tell that it's connected to a particular 
> network, other than matching IP addresses, which isn't a great idea.

Ted,

I'd like to turn your question back to you. What threat model are you 
protecting the user from by not allowing a DHCP option to use a DOH or 
DOT server?

It seems to me that in the overwhelming majority of cases (near 100%) 
the user is going to get their local resolver from the DHCP server, 
whether they are on a trusted network (like work or home), or roaming at 
Eve's Coffee Shop.

So either you have a sophisticated user who has preconfigured their own 
resolver and ignores the DHCP setting, or you have the typical user who 
doesn't understand how any of this stuff works, and therefore has 
implicit "trust" regarding the local network and the settings from the 
DHCP server.

Given that (and feel free to tell me if I've missed something), what 
harm can come to the user if the resolver that they are already trusting 
can also be accessed over DOH or DOT?

Doug